Updated: October 5, 2023
This document describes the configuration for Cloud OnRamp for Software as a Service (SaaS) using branch local exit.
Cisco recommends that you have knowledge of the Cisco Software-Defined Wide Area Network (SD-WAN).
The information in this document is based on these software and hardware versions:
Cisco vManage version 20.9.4
Cisco WAN Edge router version 17.9.3a
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
For an organization using SD-WAN, a branch site typically routes SaaS application traffic by default over SD-WAN overlay links to a data center. From the data center, the SaaS traffic reaches the SaaS server.
For example, in a large organization with a central data center and branch sites, employees can use Office 365 at a branch site. By default, the Office 365 traffic from the branch site is routed over an SD-WAN overlay link to the centralized data center and, from the data center's DIA exit, on to the Office 365 cloud service.
This document covers this scenario: If the branch site has a direct internet access (DIA) connection, you can improve performance by routing the SaaS traffic through the local DIA, bypassing the data center.
Note: Configuring Cloud OnRamp for SaaS when a site uses a loopback as a transport locator (TLOC) interface is not supported.
Enable NAT on the Transport Interface
Navigate to Feature Template. Choose the Transport VPN interface template (VPN 0) and enable NAT on the interface that provides the DIA exit.
Enable Interface NAT
CLI Equivalent Configuration:
interface GigabitEthernet2
 ip nat outside
!
ip nat inside source list nat-dia-vpn-hop-access-list interface GigabitEthernet2 overload
ip nat translation tcp-timeout 3600
ip nat translation udp-timeout 60
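Enabling NAT on the transport interface is the step that turns a branch router into its own internet exit, so it is worth checking the resulting running-config before the AAR policy starts steering SaaS traffic at it. The following script is an added example, not part of this document or of Cisco's tooling: it parses a constructed IOS XE configuration fragment (the CLI equivalent above, plus a second transport interface and a loopback added only to exercise the checks) and reports interfaces marked "ip nat outside" that have no matching overload rule, overload rules that point at an interface without "ip nat outside", loopback interfaces (which the note above says are unsupported as a TLOC with Cloud OnRamp for SaaS) and NAT timeouts that differ from the values the template pushes. The regular expressions and the finding texts are assumptions made for this example.

```python
"""Static check of the NAT portion of a WAN Edge (IOS XE) running-config
before enabling Cloud OnRamp for SaaS branch local exit. Added example,
not Cisco code."""
import re
from typing import Dict, List

# Constructed sample input: the CLI equivalent from this document plus a
# second transport interface and a loopback, added here to exercise the checks.
SAMPLE_CONFIG = """\
interface GigabitEthernet2
 description DIA transport (biz-internet)
 ip nat outside
!
interface GigabitEthernet3
 description second transport, NAT outside set but no overload rule
 ip nat outside
!
interface Loopback100
 description loopback TLOC candidate
!
ip nat inside source list nat-dia-vpn-hop-access-list interface GigabitEthernet2 overload
ip nat translation tcp-timeout 3600
ip nat translation udp-timeout 60
"""

# Patterns are assumptions for this example; they cover the lines shown above.
IFACE_RE = re.compile(r"^interface (\S+)$")
NAT_SRC_RE = re.compile(r"^ip nat inside source list (\S+) interface (\S+) overload$")
TIMEOUT_RE = re.compile(r"^ip nat translation (tcp|udp)-timeout (\d+)$")

# Timeouts the VPN Interface NAT template pushes (values from this document).
EXPECTED_TIMEOUTS = {"tcp": 3600, "udp": 60}


def parse_config(text: str) -> dict:
    """Collect interfaces, the ones carrying 'ip nat outside', the overload
    rules (exit interface -> ACL name) and the global NAT timeouts."""
    interfaces: List[str] = []
    nat_outside: List[str] = []
    nat_sources: Dict[str, str] = {}
    timeouts: Dict[str, int] = {}
    current = None  # interface whose sub-mode we are in, if any
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith(" "):
            # Indented line: belongs to the current interface sub-mode.
            if current is not None and line.strip() == "ip nat outside":
                nat_outside.append(current)
            continue
        current = None  # any top-level line ends the interface sub-mode
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            interfaces.append(current)
            continue
        m = NAT_SRC_RE.match(line)
        if m:
            nat_sources[m.group(2)] = m.group(1)
            continue
        m = TIMEOUT_RE.match(line)
        if m:
            timeouts[m.group(1)] = int(m.group(2))
    return {
        "interfaces": interfaces,
        "nat_outside": nat_outside,
        "nat_sources": nat_sources,
        "timeouts": timeouts,
    }


def audit_nat(text: str) -> List[str]:
    """Return one finding per problem; an empty list means the NAT part is consistent."""
    cfg = parse_config(text)
    findings: List[str] = []
    for ifc in cfg["nat_outside"]:
        if ifc not in cfg["nat_sources"]:
            findings.append(
                f"{ifc}: 'ip nat outside' is set but there is no "
                f"'ip nat inside source list ... interface {ifc} overload'; "
                "DIA traffic sent out this interface will not be translated"
            )
    for ifc, acl in cfg["nat_sources"].items():
        if ifc not in cfg["nat_outside"]:
            findings.append(f"{ifc}: overload rule (ACL {acl}) references it, but it lacks 'ip nat outside'")
    for ifc in cfg["interfaces"]:
        if ifc.lower().startswith("loopback"):
            findings.append(f"{ifc}: loopback present; if it is used as a TLOC, Cloud OnRamp for SaaS is not supported at this site")
    for proto, expected in EXPECTED_TIMEOUTS.items():
        actual = cfg["timeouts"].get(proto)
        if actual != expected:
            findings.append(f"ip nat translation {proto}-timeout is {actual}, template pushes {expected}")
    return findings


if __name__ == "__main__":
    for finding in audit_nat(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Run it against "show running-config" output captured from the WAN Edge; the sample here yields two findings (GigabitEthernet3 without an overload rule, and the loopback), while GigabitEthernet2 matches the configuration shown in this document and produces none.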
Create a Centralized AAR Policy
To create the centralized policy, follow these steps:
Step 1. Create a Site list:
VPN Interface NAT Template
Step 2. Create a VPN list:
Centralized Policy Custom Site List
Step 3. Configure the Traffic Rules and create the Application Aware Routing Policy.
Application Aware Route Policy
Step 4. Apply the policy to the intended site list and VPN list: